#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

botnet | Breaking Cybersecurity News | The Hacker News

Category — botnet
Europol Shuts Down 100+ Servers Linked to IcedID, TrickBot, and Other Malware

Europol Shuts Down 100+ Servers Linked to IcedID, TrickBot, and Other Malware

May 30, 2024 Malware / Cyber Crime
Europol on Thursday said it shut down the infrastructure associated with several malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot as part of a coordinated law enforcement effort codenamed Operation Endgame . "The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds," Europol said in a statement. "The malware [...] facilitated attacks with ransomware and other malicious software." The action, which took place between May 27 and May 29, has resulted in the dismantling of over 100 servers worldwide and the arrest of four people, one in Armenia three in Ukraine , following searches across 16 locations in Armenia, the Netherlands, Portugal, and Ukraine. The servers, according to Europol, were located in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, Ukraine, the United Kingdom, and the
U.S. Dismantles World's Largest 911 S5 Botnet with 19 Million Infected Devices

U.S. Dismantles World's Largest 911 S5 Botnet with 19 Million Infected Devices

May 30, 2024 Financial Fraud / Dark Web
The U.S. Department of Justice (DoJ) on Wednesday said it dismantled what it described as "likely the world's largest botnet ever," which consisted of an army of 19 million infected devices that was leased to other threat actors to commit a wide array of offenses. The botnet, which has a global footprint spanning more than 190 countries , functioned as a residential proxy service known as 911 S5 . A 35-year-old Chinese national, YunHe Wang, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022. Wang has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, Wang faces a maximum penalty of 65 years in prison. The Justice Department said the botnet was used to carry out cyber attacks, financial fraud, identity theft, child exploitation, harassment, bo
How to Get Going with CTEM When You Don't Know Where to Start

How to Get Going with CTEM When You Don't Know Where to Start

Oct 04, 2024Vulnerability Management / Security Posture
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organizations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five distinct stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each of these stages plays a crucial role in identifying, addressing, and mitigating vulnerabilities - before they can be exploited by attackers.  On paper, CTEM sounds great . But where the rubber meets the road – especially for CTEM neophytes - implementing CTEM can seem overwhelming. The process of putting CTEM principles into practice can look prohibitively complex at first. However, with the right tools and a clear understanding of each stage, CTEM can be an effective method for strengthening your organization's security posture.  That's why I've put together a step-by-step guide on which tools to use for which stage. Want to learn more? Read on… Stage 1: Scoping  When you're defin
Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique

Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique

May 28, 2024 Vulnerability / Server Security
The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team  said . "Additionally, the maximum number of targets has been observed to exceed 300+ per day." The flaws impact routers, networking gear, and other devices from vendors such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel, among others. CatDDoS was previously documented by  QiAnXin  and  NSFOCUS  in late 2023, describing it as a  Mirai botnet variant  capable of performing DDoS attacks using UDP, TCP,
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

May 17, 2024 Cryptojacking / Malware
The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Apache Tomcat ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle WebLogic Server , and  SaltStack  to breach vulnerable systems. Other methods have also invol
Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

May 06, 2024 Vulnerability / Server Security
More than 50% of the 90,310 hosts have been found exposing a  Tinyproxy service  on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as  CVE-2023-49606 , carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, the latter of which is the latest version. "A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution," Talos  said  in an advisory last week. "An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability." In other words, an unauthenticated threat actor could send a specially crafted  HTTP Connection header  to trigger memory corruption that can result in remote code execution. According to  data  shared by attack surface management company Censys, of the 90,310 hosts exp
Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million

Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million

May 02, 2024 Ransomware / Cyber Crime
A Ukrainian national has been sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for carrying out thousands of ransomware attacks and extorting victims. Yaroslav Vasinskyi (aka Rabotnik), 24, along with his co-conspirators part of the  REvil ransomware group  orchestrated more than 2,500 ransomware attacks and demanded ransom payments in cryptocurrency totaling more than $700 million. "The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains," the U.S. Department of Justice (DoJ)  said . "To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims' data when victims would not pay ransom demands." Vasinskyi was  extradited  to the U.S. in March 2022 following his arrest in Poland in October 2021. REvil, prior to formally going offline in late 2021, was responsible for a series of high
New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

May 02, 2024 Botnet / Vulnerability
A never-before-seen botnet called  Goldoon  has been observed targeting D-Link routers with a nearly decade-old critical security flaw with the goal of using the compromised devices for further attacks. The vulnerability in question is  CVE-2015-2051  (CVSS score: 9.8), which affects D-Link DIR-645 routers and allows remote attackers to  execute arbitrary commands  by means of specially crafted HTTP requests. "If a targeted device is compromised, attackers can gain complete control, enabling them to extract system information, establish communication with a C2 server, and then use these devices to launch further attacks, such as distributed denial-of-service (DDoS)," Fortinet FortiGuard Labs researchers Cara Lin and Vincent Li  said . Telemetry data from the network security company points to a spike in the botnet activity around April 9, 2024. It all starts with the exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server, which is responsible for
New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024

New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024

Apr 30, 2024 IoT Security / Botnet
The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024. "The law, known as the  Product Security and Telecommunications Infrastructure act  (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks," the NCSC  said . To that end, manufacturers are required to not supply devices that use guessable default passwords, provide a point of contact to report security issues, and state the duration for which their devices are expected to receive important security updates. Default passwords can not only be easily found online, they also act as a vector for threat actors to log in to devices for follow-on exploitation. That said, a unique default password is permissible under the law. The law, which aims to enforce a set of minimum security standards across the b
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Apr 28, 2024 Credential Stuffing / Data Breach
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials ('combo lists'), and scripting tools," the company  said  in an alert published Saturday. The findings build on a  recent advisory  from Cisco, which cautioned of a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Talos noted at the time, adding targets of the attacks comprise VPN appliances from Cisco, Check Point, Fortinet, Soni
Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

Apr 17, 2024 IoT Security / Network Security
Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024. "These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos  said . Successful attacks could pave the way for unauthorized network access, account lockouts, or denial-of-service conditions, the cybersecurity company added. The attacks, said to be broad and opportunistic, have been observed targeting the below devices - Cisco Secure Firewall VPN  Check Point VPN Fortinet VPN SonicWall VPN RD Web Services  MikroTik  Draytek  Ubiquiti  Cisco Talos described the brute-forcing attempts as using both generic and valid usernames for specific organizations, with the attacks indiscriminately targeting a wide range of sectors across geographies. The source IP addresses for
10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

Apr 09, 2024 Botnet / Crypto Mining
A threat group of suspected Romanian origin called  RUBYCARP  has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News. "Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said . "This group communicates via public and private IRC networks." Evidence  gathered  so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw , which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net. "These phishing emails often lure victims into revealing sensitive i
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

Apr 09, 2024 Botnet / Vulnerability
Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices. Tracked as  CVE-2024-3272  (CVSS score: 9.8) and  CVE-2024-3273  (CVSS score: 7.3), the vulnerabilities impact  legacy D-Link products  that have reached end-of-life (EoL) status. D-Link, in an  advisory , said it does not plan to ship a patch and instead urges customers to replace them. "The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter," security researcher who goes by the name netsecfish  said  in late March 2024. Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even
Watch Out for 'Latrodectus' - This Malware Could Be In Your Inbox

Watch Out for 'Latrodectus' - This Malware Could Be In Your Inbox

Apr 08, 2024 Cybercrime / Network Security
Threat hunters have discovered a new malware called  Latrodectus  that has been distributed as part of email phishing campaigns since at least late November 2023. "Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru  said  in a joint analysis published last week, adding it's designed to retrieve payloads and execute arbitrary commands. There is evidence to suggest that the downloader is likely written by the same threat actors behind the  IcedID malware , with the downloader put to use by initial access brokers (IABs) to facilitate the deployment of other malware. Latrodectus has been primarily linked to two different IABs tracked by Proofpoint under the names  TA577  (aka Water Curupira) and TA578, the former of which has also been linked to the distribution of QakBot and PikaBot. As of mid-January 2024, it's been employed almost exclusively by TA578 in email threat campaigns, in some
Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Apr 01, 2024 Botnet / Mobile Security
Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store. The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge. The operation has been codenamed  PROXYLIB  by the company. The 29 apps in question have since been removed by Google. Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server. The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks. "When a threat actor uses a residential proxy, the traffic from these
TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

Mar 29, 2024 Network Security / IoT Security
A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. " TheMoon , which  emerged  in  2014 , has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen Technologies  said . Faceless,  detailed  by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that's offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day. In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins. The Faceless-backed infrastructure has been assessed to be used by operators of malware such as  SolarMarker  and  IcedID  to connect to their comm
Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Mar 26, 2024 Online Gaming / DDoS Protection
Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game's reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article,  check out this white paper . When Creepers Breach: What Happens When an Attack Is Successful When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to
Expert Insights / Articles Videos
Cybersecurity Resources